Stored Cross Site Scripting in webERP

A stored XSS vulnerability in webERP (≤v4.15.2, 5.0.0.rc+13) allows script injection via the Narrative field in orders, leading to privilege escalation. This was a fun one to work on, but despite my providing a demo and a simple fix, the vendor stopped responding after initial contact.

Discovery and Exploitation

While exploring webERP, I identified a stored XSS vulnerability within the ConfirmDispatch_Invoice.php page. The flaw allows attackers with order entry permissions to inject arbitrary JavaScript via the Narrative field during order creation. Once an admin or privileged user accesses the affected page, the script executes, leading to potential account compromise or privilege escalation.

This vulnerability could be leveraged to create an admin account without the attacker ever interacting with the admin directly, since the injected script runs in the privileged user's session as soon as they view the affected page. That makes it particularly dangerous in environments where multiple roles manage orders and invoices.

Vendor Response

After discovering the issue, I responsibly disclosed it to the vendor, providing a clear proof-of-concept, a working demo, and even a simple fix. Unfortunately, after initial contact, the vendor stopped responding, leaving the vulnerability unpatched.

Fix

A simple fix for this issue is to HTML-escape the Narrative field before rendering it in ConfirmDispatch_Invoice.php. The escaping has to happen before the line breaks are converted to <br /> tags, otherwise the inserted tags would be escaped as well.

Modify line 473:

Before:

$Narrative = str_replace('\r\n', '<br />', $LnItm->Narrative);

After:

$Narrative = str_replace("\r\n", '<br />', htmlspecialchars($LnItm->Narrative, ENT_QUOTES, 'UTF-8'));
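To make the fix concrete, here is an added example (my own code, not webERP's) that wraps the corrected line in a helper, runs it next to the original vulnerable line against a constructed Narrative value, and checks the result. The function names and the sample text are made up for the illustration.

```php
<?php
// Added example, not webERP code: the hardened rendering next to the original.
declare(strict_types=1);

/**
 * Render a multi-line narrative for an HTML body context.
 * Escaping runs first so the <br /> tags inserted afterwards survive intact.
 * ENT_SUBSTITUTE makes invalid UTF-8 come back as U+FFFD instead of an empty
 * string, so a malformed narrative is still displayed rather than silently dropped.
 */
function renderNarrative(string $narrative): string
{
    $escaped = htmlspecialchars($narrative, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // Double quotes are required: in PHP a single-quoted '\r\n' is the four
    // literal characters \ r \ n and never matches a real CRLF line break.
    return str_replace(["\r\n", "\r", "\n"], '<br />', $escaped);
}

/** The vulnerable rendering from line 473, reproduced for comparison only. */
function renderNarrativeUnsafe(string $narrative): string
{
    return str_replace('\r\n', '<br />', $narrative);
}

// Constructed sample: what an order-entry user could type into the Narrative field.
$sample = "Deliver to rear entrance\r\n<script>document.title='xss'</script>\r\nCall on arrival";

echo "Unsafe: ", renderNarrativeUnsafe($sample), PHP_EOL;
echo "Safe:   ", renderNarrative($sample), PHP_EOL;

// Self-check: no raw <script> tag survives, the tag is visible as escaped text,
// and both CRLF line breaks became <br /> tags.
$safe = renderNarrative($sample);
if (strpos($safe, '<script>') !== false
    || strpos($safe, '&lt;script&gt;') === false
    || substr_count($safe, '<br />') !== 2) {
    throw new RuntimeException('hardened rendering did not behave as expected');
}
echo "Self-check passed", PHP_EOL;
```

Run it with php from the command line; the unsafe output still contains the script tag verbatim, while the safe output shows it as escaped text with the line breaks preserved.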

Conclusion

This was a fun vulnerability to analyze and exploit. While it’s always great to see vendors take security seriously, not all follow through with fixes. If you’re using webERP, consider applying mitigations such as input sanitization and Content Security Policy (CSP) rules to reduce the risk of XSS exploitation.

🔗 Full Advisory: webERP XSS - CVE-2025-2715
